I am not 100% confident what I am asking is possible but I'd love it to be confirmed. Here is what our setup would look like; I’ve explained a bit below:

DEVICE ---> PRX3 (HTTPS CACHE) ---> PRX2 ---> PRX1 ---> INTERNET

Our current environment is a bit behind the times and inflexible. We have a local squid proxy/cache (PRX2) that we do not fully control that only caches HTTP content. This proxy is downstream from another proxy which is also HTTP (PRX1). Both just TUNNEL HTTPS. PRX1 is the only way out of our WAN to the internet.

We would like to start caching HTTPS (PRX3) because these other proxies are not and it is costing us bandwidth. With the config below and a direct internet connection I can successfully connect and cache HTTP/S content. However, this won’t work in our environment. We must go through a cache peer, either PRX1 or PRX2; adding either upstream proxy as a cache peer parent results in either SSL errors or the request not being forwarded to the peer.

I think what I need to do is TUNNEL the bumped request to PRX2 over HTTP. I thought squid 4 could do this but can’t find any docs for it so it may have been wishful thinking.

*--- SSL Error ---*
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
*--- SSL Error ---*

*--- squid.conf ---*
## Proxy
# Only allow addresses in our subnet
acl LAN src 10.141.28.0/22
http_access allow LAN
http_access deny all

cache_mem 500 MB
maximum_object_size 5000 MB
range_offset_limit 5000 MB

# Set proxy port enable ssl bump, set root cert
http_port 3128 ssl-bump tls-cert=/etc/squid/CA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
ssl_bump bump all

# Set cache directory and settings [type] [dir] [MB] [L1 = number of first level subdirs] [L2 = number of second level subdirs] [[options]]
cache_dir diskd /srv/cache 10000 64 72

never_direct allow all
cache_peer 10.141.28.19 parent 800 0 no-query no-digest

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
*--- squid.conf ---*

*--- squid version info --- *
Squid Cache: Version 4.4
Service Name: squid

This binary uses OpenSSL 1.1.1a 20 Nov 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options: '--prefix=/usr' '--sbindir=/usr/bin' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm' '--enable-auth-digest' '--enable-auth-negotiate' '--enable-removal-policies=lru,heap' '--enable-storeio=aufs,ufs,diskd,rock' '--enable-delay-pools' '--with-openssl' '--enable-snmp' '--enable-linux-netfilter' '--enable-ident-lookups' '--enable-useragent-log' '--enable-cache-digests' '--enable-referer-log' '--enable-htcp' '--enable-carp' '--enable-epoll' '--with-large-files' '--enable-arp-acl' '--with-default-user=proxy' '--enable-async-io' '--enable-truncate' '--enable-icap-client' '--enable-ssl-crtd' '--disable-arch-native' '--disable-strict-error-checking' '--enable-wccpv2' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt'
*--- squid version info --- *
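
An added diagnostic example, not part of the original post: OpenSSL reports `ssl3_get_record:wrong version number` when the first bytes it reads are not a TLS record, for instance when a plain-HTTP listener answers a TLS ClientHello in cleartext. The sketch below classifies the first bytes received from a peer port; the function name and the sample byte strings are constructed for illustration, and that this is what happens on the `cache_peer` connection above is an assumption.

```python
import struct

# TLS record content types (RFC 8446, section 5.1).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
# Leading bytes that indicate cleartext HTTP rather than a TLS record.
HTTP_PREFIXES = (b"HTTP/", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a peer sent: TLS record, plaintext HTTP, or unknown."""
    if data.startswith(HTTP_PREFIXES):
        # A TLS client treats bytes 1-2 of whatever arrives as the record
        # version; ASCII text there is what yields "wrong version number".
        first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {
            "kind": "plaintext-http",
            "first_line": first_line,
            "bytes_read_as_version": f"0x{data[1]:02x}{data[2]:02x}",
        }
    if len(data) < 5:
        return {"kind": "unknown", "reason": "fewer than 5 bytes, no full record header"}
    # Record header: content type (1), version major/minor (1+1), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        return {
            "kind": "tls-record",
            "content_type": TLS_CONTENT_TYPES[ctype],
            "record_version": f"0x{major:02x}{minor:02x}",
            "length": length,
        }
    return {"kind": "unknown", "reason": f"type={ctype} version=0x{major:02x}{minor:02x}"}


if __name__ == "__main__":
    # Constructed samples: a cleartext proxy error reply and a TLS fatal alert.
    samples = {
        "plain HTTP reply": b"HTTP/1.1 400 Bad Request\r\nServer: squid\r\n\r\n",
        "TLS alert record": bytes.fromhex("15030300020228"),
    }
    for name, blob in samples.items():
        print(name, "->", classify_first_bytes(blob))
```

A `plaintext-http` result for the bytes a parent proxy port returns means that port expects cleartext HTTP (including `CONNECT`), not a direct TLS handshake.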